choco

SPG is now and truly dead. Marriott is awful. Just cancelled my SPG AMEX card. Sad ending to a great
Starwood program.

tfong007

X-ON

Wow what a fiasco of a merger... It is really not that interesting if we attribute this to SPG Mickey Mouse security protocols or a subpar due diligence by Marriott the end result is a fiasco merger at best or catastrophic merger at worst. Mr Sorenson should thank his lucky star if he survives this.

OssianBlue

"Boss, we discovered hackers have access to the Starwood stay database. I just need your word to lock it down while we close it."

"Hold on there a second, we might lost some bookings. Tell you what, let's move the January integration target up to September since the Marriott stay database is clean. That will fix the security hole just fine."

oxfordjames

Have you even read the cause of this breach? This was an SPG issue!!

phltraveler

As I made post #48 , I don't think that it's useless finger pointing to point out that the breach started under Starwood but Starwood's liabilities are Marriott's, and express disbelief that a system that Marriott had been working on integrating with their own website/rewards IT for over two years remained compromised throughout the entire integration period, including after the Single loyalty program/website integration on 08/18, and that the security breach was only found after they had integrated the starwood reservation system/servers with Marriott.com and Marriott Rewards. Given that it's another failure on the part of the combined Marriott/Starwood from an IT perspective, groaning is going to come with the territory.

As far as what can be done, the faq on info.starwoodhotels.com is pretty comprehensive if actually read. The likelihood that someone would be able to acquire a credit line without a social security number might make a credit freeze excessive as a response to this specific breach (although a good measure anyways given other data breaches and just general safety of ones credit).

If you feel the information is not complete or is hard to find, might I suggest editing the wikipost on this thread instead? That way it's a centrally updated source visible regardless of the page one visits in this thread that can be updated by the community. Other than what Marriott has already provided via Kroll, I can't think of any other precautions at this time or info to provide.

Marriott instead claims via the info.starwoodhotels.com site that they were alerted to a potential data breach by a security tool on September 8th, closed the access of the unauthorized party on the 10th, and verified what the breach contained only on November 19th. If true, MR didn't knowingly rush any transition to deal with the breach.

Besides, the rewards programs were merged on 08/18 and Marriott.com was the central booking site, but booking any SPG hotel just took you over to the starwoodhotels.com subdomain - because the Starwood hotels were still using the legacy PMS at that time (over the past few weeks and coming months some properties have transitioned the properties to OPERA/Marriott reservations backend - PMS transition only happened at the end of October for Sheratons, for instance). That's why guest data post 08/18 (up until September 10th) is affected by this breach, but only at Starwood properties that still used the Starwoodhotels.com domain & Starwood reservations system.

With the minimum information transmitted for a hotel booking being a name and reservations not being required to contain a single reservations number (and a possibility for one individual to have more than one rewards account [accidentally or on purpose, or as a result of technical changes - like the pre-08/18 SPG numbers and then the post 08/18 merged Marriott rewards account numbers being within the dataset), Marriott likely cannot tell if reservation #78 under John Smith is the same John Smith as Reservation #361 or different.

With Marriott only decrypting the data dump on their servers on November 19th, that doesn't leave a lot of time for an exhaustive analysis to de-duplicate reservation records down to individuals (and the above factors making absolute de-duplication impossible anyways).

Marriott themselves on info.starwoodhotels.com uses the terms:

However, the nature of the above means it's likely that Marriott gave the worst case scenario by assuming every single reservation could be a different person. Marriott would catch infinitely less guff from the public/news outlets/governments for initially overstating the impact and correcting it to a smaller number than giving a smaller number and increasing it later.

fransknorge

tfong007

CJKatl

Granted, your post contained little finger pointing and additional information, but so many others are like this:

and this:

and this:

boss315

Look on the sunny side: This will mean some dirt cheap rates in the future to win back loyalty and just to gain trust back!

OssianBlue

And? What's inappropriate about venting after a colossal mess-up like this?

rny321

I have my own domain and I utilize numerous email addresses and unique formula-based passwords. When traveling, I can forward all relevant email addresses to a primary one. If (when?) an email is compromised, I can create a new one in about a minute and forward emails from the old one go into a SPAM folder. I realize when using gmail or a similar provider the process of creating and tracking multiple email addresses is more time consuming, but having a few different email addresses for online purchases may make sense for some people.

The credit cards I use and store on a company's website are rarely one of the ones I use for everyday spending. Since my Starwood Luxury card is rarely used anywhere except MPG hotels, it isn't that much of an issue if I need to cancel it.

At this point, enough providers I use have been hacked that I assume that my address, phone number and birthday have been widely disseminated. Although my passport info isn't on any hotel websites, I have stored it on some airline sites.

phltraveler

What happens if you use a corporate TA or other 3rd party TA to make a booking with international travel that includes a Starwood hotel along with airfare and rental car? Since it's all on the same booking in the GDS, would the passport be potentially transmitted as part of the booking info sent to Marriott?

pierre mclopez

Is this a red herring? It's a problem we acquired, we didn't create it.

rny321

Good question. I can't answer the question for others, but in my company passport information would only be transmitted to the airline. Since airline databases have been hacked, I am not naive enough to think my passport info has never been compromised. Still, the precautions I have taken minimize the inconvenience when the inevitable security breach happens.